Differential phase shift quantum key distribution systems have a high potential for achieving high 
speed key generation. However, their unconditional security proof is still missing, even though the 
protocol was proposed many years ago. Here, we prove its security against collective attacks with a weak 
coherent light source in the noiseless case (i.e. no bit error). The only assumptions are that quantum 
theory is correct, the devices are perfect and trusted and the key size is infinite. Our proof works 
on threshold detectors. We compute the lower bound of the secret key generation rate using the 
information-theoretical security proof method. Our final result shows that the lower bound of the 
secret key generation rate per pulse is linearly proportional to the channel transmission probability 
if Bob's detection counts obey the binomial distribution. 
I. INTRODUCTION

Quantum key distribution (QKD) allows two distant parties to share secret keys that are unconditionally secure. Until now, there have been several kinds of QKD protocols. The traditional BB84 protocol is one based on qubits, in which Alice sends Bob a sequence of qubits to establish a secret key. On the other hand, there are other non-qubit-based protocols, such as the continuous variable QKD scheme. In these two protocols, regardless of whether qubit states or continuous states are used, each state (or state pair) received by Bob directly gives rise to one bit value. In contrast, in differential phase shift (DPS) QKD, information is encoded in the difference between each two adjacent quantum states. Of the above protocols, the last one is designed to achieve high speed communication. Diamanti et al. have realized DPSQKD with a modulation frequency of 1 GHz.

DPSQKD is well suited for coherent-state sources as information is encoded in the relative phases of coherent states. Coherent-state sources can also be used with other protocols, for example, the BB84 protocol with phase-randomized coherent states, whose performance is substantially improved by the decoy-state method, the BB84 protocol with phase-non-randomized coherent states [18], and the B92 protocol with strong reference pulses [19, 20, 21] (see also [22]).

The unconditional security of the BB84 protocol is well discussed. For the CVQKD protocols, their security against collective attacks is also well discussed. However, for DPSQKD, we only know that it is secure against several specific attacks, e.g., the beam splitting attack and the intercept and resending attack. Until now, we do not know whether it is secure against any quantum Eve even in the noiseless case. On the other hand, specific attacks on DPSQKD have been proposed to evaluate upper bounds on the secret key generation rates of DPSQKD.



In this paper, we prove the security of DPSQKD against collective attacks with a weak coherent light source in the noiseless case. The security in this case follows from a key result that we will prove in this paper, namely that Eve's state is independent of the positions of Bob's detected signals. This result makes sense since the fact that there is no bit error restricts what Eve can do to Bob's signals. In particular, she has to ensure that Bob receives all signals with equal intensities, since signals with different intensities will result in bit errors with non-zero probability. Our final result on the lower bound on the key generation rate is a function of the estimated parameters of the channel (see Eq. (|5u| ). In order to understand this result further, we compute this bound by considering a channel that produces a binomial distribution in Bob's detection statistics. Specifically, we show that the lower bound of the secret key generation rate per pulse is linearly proportional to the channel transmission probability (see Eq. (p5)l ).

The only assumptions used in the proof are that quantum theory is correct, the key size is infinite and the devices are perfect and trusted. Our proof works on threshold detectors, which are the detectors commonly used in practice. Furthermore, we do not require quantum non-demolition (QND) measurements. Even though we consider collective attacks in this paper, we speculate that it is possible for us to extend our security proof to the most general attack, namely the coherent attack. An intuitive justification tells us that Eve cannot get more information from coherent attacks than from collective attacks as the key size goes to infinity. For the finite dimension case, there is an exponential de Finetti theorem that can strictly give this result. However, for DPSQKD, the states sent by Alice are weak coherent states and thus in theory the dimension of Bob's received states may be infinite. Thus, the current de Finetti theorem cannot be directly applied. On the other hand, there are three potential ways to solve this problem. Since in practice the states sent by Alice are weak coherent states and the probability that Bob gets a large photon number is extremely small, it is possible to prove that Alice and Bob's states can be well approximated by states that have a finite support. Then the current de Finetti theorem can be applied. The second way is to extend the current exponential de Finetti theorem to the infinite dimensional case. We can see a hope of this in Ref. [40]. The third way is to extend the current de Finetti theorem to the case with a finite number of measurement results, since we know that in DPSQKD, Bob's measurement results are finite. The work in Ref. also shows that this way may be viable.

We note that there is also a recent proof [41] on 
the DPS protocol. Their proof assumes a single-photon 
source and requires QND measurements, whereas our 
proof allows a more general weak coherent light source 
and does not require QND measurements. On the other 
hand, their proof can handle the noisy case and applies 
to the most general attack, whereas ours can only handle 
noiseless collective attacks. 

In the following analysis, we map the traditional DPS protocol into a big-state protocol and give the security proof for this big-state protocol. In doing so, we prove a key result of our paper, which is that Eve's state is independent of the positions of Bob's detected signals. With this result and some properties of the mutual information, we can upper bound Eve's information about Alice's bit string. Finally, we evaluate the key rate assuming a typical setting in which the detection statistics follow the binomial distribution. The security proof method we employ is the information-theoretical one by Renner et al. [33].
FIG. 1: Illustration of Protocol 1, where PM denotes the phase modulator.



4. Alice generates another variable $l_i = x_i \oplus x_{i-1}$ for $i > 1$.

5. After many rounds of such communications, Alice and Bob randomly publish some of the $l_i$ and $y_i$ corresponding to $z_i = 1$ to test the bit error rate (BER) between them.

6. Alice and Bob generate new binary variables $u_i^A$ and $u_i^B$ respectively. Alice sets $u_i^A = l_i \cdot z_i$. Bob sets $u_i^B = y_i \cdot z_i$.

7. Alice and Bob estimate the mutual information between the binary strings $u^A$ and $u^B$ conditioned on Bob's announcement.

8. Alice announces the error correction information of binary string $u^A$ and Bob uses it to reconcile his string $u^B$ to the corresponding string $u^A$.

9. Alice and Bob perform privacy amplification on their common binary string $u^A$ to generate the final secret key.



II. EQUIVALENT PROTOCOLS 

A. Protocol 1 - original protocol 

Quantum Phase: 1. Alice sends a sequence of coherent states, each with amplitude $\alpha$, but with a randomly selected phase, $|\alpha\rangle$ or $|-\alpha\rangle$, to Bob. Then she records each state with a binary variable $x_i$, by setting $x_i = 0$ if the $i$-th state is $|-\alpha\rangle$ and $x_i = 1$ if the $i$-th state is $|\alpha\rangle$.

2. Using the Mach-Zehnder (M-Z) interferometers shown in Fig. 1, Bob measures the phase difference between every two adjacent states. Bob stores his measurement results in binary variables $y_i$ and $z_i$. While measuring the phase difference of the $i$-th and $(i-1)$-th states, if Bob gets a photon count, he sets $z_i = 1$ and if not, he sets $z_i = 0$. Also, if $i = kN + 1$ ($k = 0, 1, 2, 3, \ldots$), Bob sets $z_i = 0$. If $z_i = 1$ and the measurement result indicates that the phase difference is zero, he sets $y_i = 0$; otherwise, if it indicates a non-zero phase difference, he sets $y_i = 1$. If $z_i = 0$, Bob sets $y_i = 0$.

Classical Phase: 3. After Bob receives each set of $N$ states, he announces all $z_i$'s for these $N$ states.



Instead of steps 6-9, Alice and Bob can simply discard the $l_i$ and $y_i$ that correspond to $z_i = 0$, and perform error correction and privacy amplification on the remaining sifted bits. This protocol is then equivalent to the original DPSQKD protocol. In this protocol, Bob measures the phase difference between every two adjacent pulses. Thus, it may not be a good idea to try to map them into single bits and then discuss the security. Here, our basic idea is to regard $N$ states as one big state and to discuss the security of this big state. In the following, we will introduce three protocols that map the above protocol into a big state protocol, in which Alice sends Bob a big state and Bob measures it with $N$ pieces of equipment. The security of these three protocols is weaker than that of the above one. Thus, if the security of these inferior protocols is proved, then the security of the above protocol is proved.



B. Protocol 2 

In step 1, according to the binary string $x = (x_{kN+1}, x_{kN+2}, \ldots, x_{(k+1)N})$, Alice generates a state $|\Psi^{N,x}\rangle = \bigotimes_{i=kN+1}^{(k+1)N} |(-1)^{x_i+1}\alpha\rangle$ and sends it to Bob through $N$ fibers. In the quantum channel, there is a quantum memory (QM) system that separates $|\Psi^{N,x}\rangle$ into an $N$-state sequence and sends each state to Bob one by one through one fiber (see Fig. 2). Steps 2-9 remain the same.

FIG. 2: Illustration of Protocol 2, where the QM system is a quantum memory that stores the $N$ received states and sends them out one by one.

FIG. 3: Illustration of Protocol 3, where Bob's measurement equipment is not shown in detail.

There is no difference between Protocol 1 and Protocol 2 at Bob's side. The only difference between them is that in Protocol 1 Alice sends Bob each coherent state one by one and in Protocol 2 Alice sends them all together. The QM system that separates the big state into an $N$-state sequence can be realized by storing the big state and sending each state one by one. In Protocol 2, the QM system can be controlled by Eve. However, it can be seen that if the QM system is put at Alice's side and cannot be controlled by Eve, Protocol 2 is equivalent to Protocol 1. Therefore, the security of Protocol 2 is weaker than that of Protocol 1, and the secret key rate of Protocol 1 is no less than that of Protocol 2.



C. Protocol 3 

As shown in Fig. 3, in step 2 of Protocol 2, Bob stores the received pulses in another QM system. After receiving $N$ pulses, Bob reads out the stored $N$ signals one by one through $N$ fibers and measures their phase differences via M-Z systems which should be equivalent to the measurements in Protocol 1 (these M-Z systems can be realized by the detection equipment shown in Fig. 0]).

It can be seen that if the QM system is at Bob's side and cannot be controlled by Eve, then Protocol 3 is the same as Protocol 2. Since in Protocol 3 this QM system can be controlled by Eve, the security of Protocol 3 is no stronger than that of Protocol 2.




FIG. 4: Illustration of Protocol 4, where the delayer generates 
the time delay that makes the two pulses meet at the beam 
splitter before the detector. 



D. Protocol 4 



In step 1, Alice generates a state $|\Psi^{N,x}\rangle = \bigotimes_{i=kN+1}^{(k+1)N} |(-1)^{x_i+1}\alpha\rangle$ and sends it to Bob through $N$ fibers. In step 2, while receiving this big state, Bob measures the phase difference between each two adjacent states at the same time with the equipment shown in Fig. 5. Steps 3-9 remain the same as in Protocol 1.

It can be seen that the only difference between Protocol 3 and Protocol 4 is that in Protocol 3 Bob measures each phase difference one by one, but in Protocol 4 Bob measures them all together. Since different detectors just measure different field quadratures, the measurement operators that describe these detectors commute with each other. Therefore, there is no difference between measuring the phase difference one by one and measuring them all together. Thus, Protocol 4 is equivalent to Protocol 3.

Since Protocol 4 is inferior to Protocol 1, in the following we will prove the security of Protocol 4 first. Then the security of Protocol 1 follows.
III. SECURITY DISCUSSION

Here we only discuss the security against the collective attack under the infinite-key-length case. It means that Alice sends Bob an infinite number of the quantum state $|\Psi^{N,x}\rangle$. We remark that we do not place any restriction on the block length $N$, which can be finite. Under the collective attack scenario Eve attacks each state individually with the same superoperator and the state Alice and Bob share is a state that can be written as a product state. This means that after Alice sends Bob $M$ big states, the state Alice, Bob and Eve share can be written as $(\rho_{ABE}^{N})^{\otimes M}$, where $\rho_{ABE}^{N}$ is evolved from the state sent by Alice. Then it is enough for us to only discuss the possible attacks to a single state. We also assume that quantum theory is correct, the device can be trusted and Bob's detectors are ideal [42]. In the following we assume that $x$, $y$, $z$, $l$, $u^A$ and $u^B$ are the binary strings Alice and Bob obtain from one state, with $x = (x_1, x_2, \ldots, x_N)$, $y = (y_1, y_2, \ldots, y_N)$, and similar for the others. Let $X$, $Y$, $Z$, $L$, $U_A$ and $U_B$ denote the variables that can take the values $x$, $y$, $z$, $l$, $u^A$ and $u^B$, respectively. Let $X_i$, $Y_i$, $Z_i$, $L_i$, $U_i^A$ and $U_i^B$ denote the variables that can take the values $x_i$, $y_i$, $z_i$, $l_i$, $u_i^A$ and $u_i^B$, respectively. In Ref. [37] it has been shown that under the infinite-key-length case the secret key rate is given by the difference between mutual informations. In the above protocols, $U_A$ and $U_B$ are the final variables that are used to distill the secret keys. Then for Protocol 4, the secret key rate per big state is given by

$$G \ge I(U_A : U_B | Z) - S(U_A : E | Z), \qquad (1)$$

where $I$ and $S$ denote the Shannon mutual information [44] and the von Neumann mutual information [45] respectively. Here $I(U_A : U_B | Z)$ and $S(U_A : E | Z)$ are respectively given by

$$I(U_A : U_B | Z) = \sum_z P(z)\, I(U_A : U_B | Z = z), \qquad S(U_A : E | Z) = \sum_z P(z)\, S(U_A : E | Z = z). \qquad (2)$$

Before discussing the properties of these two mutual informations, we introduce the following notations. We introduce vectors $w(z)$ and $c(z)$ in relation to Bob's counting results. Let $w(z)$ denote the weight of $z$, which gives the total number of 1s in $z$. Let $c_i(z)$ denote the position of the $i$-th 1 in the string $z$.

From step 6, we see that $u_i^A = l_i \cdot z_i$. Since if $z_i = 0$ we have $u_i^A = 0$, $u^A$ can be given by $u^A = (0, \ldots, l_{c_1(z)}, \ldots, 0, \ldots, l_{c_{w(z)}(z)}, \ldots, 0)$. For a given $z$, we can change the order of elements and write $u^A$ as $u^A = (l_{c_1(z)}, l_{c_2(z)}, \ldots, l_{c_{w(z)}(z)}, 0, \ldots, 0)$. For convenience, we introduce $l_z$ and $y_z$, which are given by

$$l_z = (l_{c_1(z)}, l_{c_2(z)}, \ldots, l_{c_{w(z)}(z)}), \qquad y_z = (y_{c_1(z)}, y_{c_2(z)}, \ldots, y_{c_{w(z)}(z)}).$$

Then for a given $z$, $u^A$ can simply be given by

$$u^A = (l_z, \mathbf{0}), \qquad (3)$$

where $\mathbf{0}$ is the zero vector of length $N - w(z)$. Now we introduce random variables $L_z$ and $Y_z$ of length $w(z)$ that take on values $l_z$ and $y_z$:

$$L_z = (L_{c_1(z)}, L_{c_2(z)}, \ldots, L_{c_{w(z)}(z)}), \qquad Y_z = (Y_{c_1(z)}, Y_{c_2(z)}, \ldots, Y_{c_{w(z)}(z)}). \qquad (4)$$

Then for a given $z$, $U_A$ can be given by

$$U_A = (L_z, \mathbf{0}) \qquad (5)$$

and similarly we have

$$u^B = (y_z, \mathbf{0}), \qquad U_B = (Y_z, \mathbf{0}). \qquad (6)$$
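The classical bookkeeping of Protocol 1 in the noiseless case, as an added example (not code from the paper): it builds $l$, $y$, $z$, $u^A$ and $u^B$ from steps 1 to 6, applies the post-selection variant, and computes $w(z)$, $c_i(z)$ and the reordered string $(l_z, \mathbf{0})$. The function names, the independent per-slot click probability `p_click` and the sample inputs are assumptions made for the illustration; no quantum states or eavesdropper are modelled.

```python
import random


def phase_difference_bits(x):
    """Step 4: l_i = x_i XOR x_{i-1} for i > 1 (list index 0 has no predecessor)."""
    return [0] + [x[i] ^ x[i - 1] for i in range(1, len(x))]


def bob_measure(x, clicks, N):
    """Step 2, noiseless case: a photon count reveals the true phase difference.

    clicks[i] says whether a count occurred in slot i (constructed input).
    Slots with i = kN + 1 in the page's 1-based indexing (i % N == 0 here)
    are forced to z_i = 0, so no key bit straddles two blocks.
    """
    l = phase_difference_bits(x)
    y, z = [], []
    for i, click in enumerate(clicks):
        zi = 1 if click and i % N != 0 else 0
        z.append(zi)
        y.append(l[i] if zi else 0)  # y_i = 0 whenever z_i = 0
    return y, z


def masked_strings(x, y, z):
    """Step 6: u_i^A = l_i * z_i and u_i^B = y_i * z_i."""
    l = phase_difference_bits(x)
    u_a = [li * zi for li, zi in zip(l, z)]
    u_b = [yi * zi for yi, zi in zip(y, z)]
    return u_a, u_b


def sift(bits, z):
    """Post-selection variant: keep only the entries with z_i = 1."""
    return [b for b, zi in zip(bits, z) if zi == 1]


def weight(z):
    """w(z): total number of 1s in z."""
    return sum(z)


def positions(z):
    """c_i(z): 1-based position of the i-th 1 in z."""
    return [i + 1 for i, zi in enumerate(z) if zi == 1]


def reorder(u, z):
    """(l_z, 0): detected entries first, followed by N - w(z) zeros."""
    return sift(u, z) + [0] * (len(z) - weight(z))


def simulate(num_blocks, N, p_click, seed=1):
    """Run the bookkeeping on random bits; p_click is an assumed channel model."""
    rng = random.Random(seed)
    total = num_blocks * N
    x = [rng.randrange(2) for _ in range(total)]
    clicks = [rng.random() < p_click for _ in range(total)]
    y, z = bob_measure(x, clicks, N)
    u_a, u_b = masked_strings(x, y, z)
    return {"x": x, "l": phase_difference_bits(x), "y": y, "z": z,
            "u_a": u_a, "u_b": u_b}


if __name__ == "__main__":
    r = simulate(num_blocks=1000, N=8, p_click=0.05)
    key_a, key_b = sift(r["l"], r["z"]), sift(r["y"], r["z"])
    errors = sum(a != b for a, b in zip(key_a, key_b))
    print("sifted bits:", len(key_a), "bit errors:", errors)
    print("sifted bits per pulse:", len(key_a) / len(r["x"]))
```

With independent clicks the number of sifted bits per pulse tracks `p_click` times $(N-1)/N$, because the first slot of every block is always discarded.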



Now we can rewrite the mutual information given by Eq. (2) as follows.

$$\begin{aligned} & I(U_A : U_B | Z) \\ &= \sum_z P(z)\, I(L_z \oplus \mathbf{0} : Y_z \oplus \mathbf{0} | Z = z) \\ &= \sum_z P(z) [H(L_z \oplus \mathbf{0} | Z = z) \\ &\quad + H(Y_z \oplus \mathbf{0} | Z = z) - H(L_z \oplus \mathbf{0}, Y_z \oplus \mathbf{0} | Z = z)] \\ &= \sum_z P(z)\, I(L_z : Y_z | Z = z), \end{aligned} \qquad (7)$$

where $H(\cdot)$ is Shannon entropy [44], in the second line we have applied the results given by Eqs. (5) and (6), in the third line and fourth line we have used the definition of the Shannon mutual information [44] and in the fifth line we have used the formula $H(AB|C) = H(A|BC) + H(B|C)$, and the fact that the entropy of a given vector is zero and $H(\cdot | Z = z, \mathbf{0}) = H(\cdot | Z = z)$ ($\mathbf{0}$ is generated from $z$). In the same way, we have

$$S(U_A : E | Z) = \sum_z P(z)\, S(L_z : E | Z = z). \qquad (8)$$

Then from Eqs. (7) and (8), the final secret key rate per $N$ pulses is given by

$$G \ge \sum_z P(z) [I(L_z : Y_z | Z = z) - S(L_z : E | Z = z)]. \qquad (9)$$

If Alice and Bob just discard all $l_i$ and $y_i$ corresponding to $z_i = 0$, and perform error correction and privacy amplification on the sifted key, according to Ref. [37] the secret key in this case is also given by Eq. (9). Therefore, instead of steps 6-9, Alice and Bob can simply introduce such a post-selection step.
IV. SECURITY PROOF

Before giving the security proof of the DPS protocol, we will show the main idea of our security proof. In the DPS protocol, what Alice sends to Bob are two weak coherent states. Since these two states are non-orthogonal, Eve in principle cannot always distinguish them and cannot always know the phase difference between two adjacent pulses. The mutual information per pulse between Alice and Eve is thus less than one. Bob uses the M-Z system to measure the phase difference between two adjacent pulses. This system lets Bob know the phase difference between the two pulses deterministically with a certain probability (Bob definitely knows the phase difference if he gets a count). Finally Alice and Bob only keep the measurement results of the phase differences that Bob has good knowledge of. The point is that either Bob knows that Eve has obtained good information on a pulse pair (in which case he has not gotten a photon count and this result is discarded) or Bob knows more about this result than Eve does (in which case Alice and Bob proceed to distill a secret key by applying error correction and privacy amplification to many such results). In the following, we will rigorously prove this when there is no bit error. First, we prove that under the no-bit-error case Eve's state is uncorrelated with the permutation of $z$, which means that Eve's state is independent of the positions of Bob's detections. Then we show that Eve's average information about the sifted keys is only determined by the total number of Bob's detections. Since the maximum total information Eve gets from Alice is restricted by Alice's modulation, through several properties of the mutual information, we can give an upper bound to Eve's information on the sifted data. Then the security of the DPS protocol under the no-bit-error case is proved.

Here, we only limit our analysis to the no-bit-error case. For a collective attack, it is enough to only discuss the attack for a single communication [37]. Therefore, in the following we only discuss the possible attacks for a single state $|\Psi^{N,x}\rangle$. Before giving the security proof, we introduce the following notations. As shown in Fig. 2J the annihilation operator of the input fields on the $i$-th path at Bob's side is denoted by $a_i$. The vacuum inject mode on the beam splitter corresponding to the $i$-th fiber at Bob's side is denoted by $b_i$. The output modes to the detectors that detect the phase difference between the $i$-th signal and $(i-1)$-th signal are described by $d_i^0$ and $d_i^1$, with 0 and 1 describing the lower and upper detectors respectively (see Fig. 2]). In the following, we denote the detectors that correspond to the modes $d_i^0$ and $d_i^1$ by $\mathrm{DET}_i^0$ and $\mathrm{DET}_i^1$.

We assume that Bob and Eve's conditional state conditioned on Alice's modulation is $\rho_{EB}^{N,x}$. Now we will prove that if there is no bit error, the reduced state $\rho_E^{N,x,z}$, which denotes Eve's conditional state after Bob's announcement of detected signals, is independent of the permutation of $z$. With this result and several properties of the entropy, we can give a lower bound to Eq. ©.



A. Permutation invariance of Eve's state to z 

In this subsection we give the description of Bob's measurement first. Then we prove a requirement implied by the no-bit-error condition. Finally we prove that Eve's state is invariant under the permutation of $z$.

From Fig. 2J we can see that the output modes $d_i^0$ and $d_i^1$ can respectively be given by



dj = |(o,- - 



Oi_i) + - h) 



To simplify Eq. (|10|) we introduce d\ and v\ : 

3} = \iai + ai-{) 



and 



vac- 
vac® 



(10) 



(11) 



(12) 



Since the phase factor $i$ can be absorbed into the annihilation operators, the output modes $d_i^0$ and $d_i^1$ can simply be given by



J? 



vac 



(13) 



In our security analysis we can safely assume that Eve holds the purification of $\rho_{EB}^{N,x}$. This means that we can safely assume that $\rho_{EB}^{N,x}$ is a pure state [37]. Let $|\Psi_{EB}^{N,x}\rangle$ denote the pure conditional state Bob and Eve share. According to the Schmidt decomposition (see, e.g., [45]), $|\Psi_{EB}^{N,x}\rangle$ can be decomposed into several orthogonal states,



I* 



N,S\ 
EBi 



N.x 
E.k 



I* 



N,x\ 
B.kl 



(14) 



For convenience, in the following we denote the $l$ generated from $x$ by $l^x$.

The no-bit-error condition can be described as follows. 
If there is no phase difference between the i-th and i— 1-th 
states, in principle the DET} detector should not gener- 
ate a count; and if there is phase difference, the DET® 
detector should not click. It can be seen that this condi- 

N x 

tion actually requires that the output mode gL* of p E g 

corresponds to the vacuum state, i.e., d!^ \^ E g)\vac) = 0, 
where if = If 1 and \vac) describes the vacuum state 
injected through the hi mode. Since in Eq. (| 13[) . the 
annihilation operator vac\ (j = 0, 1) acts on the vacuum 
state, we can simply discard the vacuum mode. Then the 
no-bit-error condition can be rewritten as 



0. 



(15) 
From Eqs. (13) and (11), we know that Eq. (15) is equal to

[a i + (-l)'?+ 1 a i _ 1 ]|<f) = 0, (16) 



for arbitrary $i > 1$ and $k$. Eq. (16) gives the no-bit-error condition. This analysis can be summarized by the following Lemma.

Lemma 1 : If there is no bit error between Alice and 
Bob, Bob's state satisfies 



= (-l)Wi|<f>- (17) 
Since d% = §[a< + (-l)'«Oi_i], from Eq. fTTj). we get 



(18) 



Eqs. (15) and (18) give us the relationship between the input modes and the output modes of the M-Z system under the no-bit-error case. With this Lemma we can finally prove the permutation invariance of Eve's state to $z$.

Combining Eqs. (fTf]) and (fl8|) and the result that if = 
Xi © we have 

(-ir i 4 ? i^i> = (-ir i '^'Kf) (19) 

for arbitrary $i$, $i'$ and $k$. It can be seen that Eq. (19) can be generalized to

(-l)^ + ^+-+^4^J...rfJ|^) (20) 



J 1 , J?, JJ 



■B,fe/ 



for arbitrary integers $i_p > 1$, $i'_p > 1$, $k$ and $q$, where the subscript $p = 1, \ldots, q$ ($p$ comes from $i_p$).

Bob's measurement is a projection. The detector $\mathrm{DET}_i^j$ maps the received state into the photon number space $\{|vac\rangle\langle vac|, |1\rangle\langle 1|, \ldots\}$. This projection subspace of $\mathrm{DET}_i^j$ can be given by

$$\mathrm{Map}_i^j = \Big\{ M_{i,v}^j = \frac{1}{v!} (d_i^{j\dagger})^v |vac\rangle\langle vac| (d_i^j)^v \;\Big|\; v = 0, 1, \ldots \Big\}, \qquad (21)$$

where $v$ denotes the number of photons received by the detector $\mathrm{DET}_i^j$.

Since $d_i^j$ is composed of an operator acting on the received state and an operator acting on the vacuum state, from Eqs. (13), (20) and (21), it can be seen that for arbitrary integers $i$, $i'$, $v$ and $k$ we always have

(vac\(^i\Ml!\^i)\vac) = {vac\{^%\Mf v \^%)\vac) 

(22) 

where $|vac\rangle$ denotes the vacuum state injected through the $b_i$ mode and this equality holds for $v = 0$ because the modulus of the projection to the vacuum state plus that to other states equals one. Since $|vac\rangle$ is always a vacuum state, in the following we just leave it out in our expression for convenience. Eq. (22) can be extended to the multi-detection case as follows:



N,x 



H 

I s , 



■M, 



■ v„ I^B.fc/ 



fiM.; 1 ■■■M.; q i$^f) 



(23) 



where we have introduced subscripts $1, 2, \ldots,$ and $q$ to enumerate different operators and have omitted the vacuum state part.

From Eqs. (Q3J) and (j2"3")) it can be obtained that 



(24) 



(\fj N ' S \M 1 ■ ■ ■ M " \y N ' S ) 



N,S\ 



Also from Eqs. (fl~5|) and (f2Tj) it can be seen that if j ^ If 
and d>0wc always have 



N,x\ 



= 0. 



(25) 



With the above results, we can evaluate Eve's conditional state conditioned on Bob's announcement. We know that if Bob maps his state into the subspace $M = |\beta\rangle\langle\beta|$ (for convenience we denote it by $\beta$) then Eve's state will collapse to the state



N,x,/3 _ 

Pe 



tr EB Mp N E %M+ 



(26) 



where $\rho_{EB}^{N,x}$ is the state Eve and Bob share before Bob's measurement [45]. In our security analysis we can consider the worst case (favoring Eve), in which the state $\rho_{EB}^{N,x}$ is pure and described by $|\Psi_{EB}^{N,x}\rangle$. For the pure state case, Eq. (26) becomes



I* 



N,x,8\ 



<*Km*K>i*K> 



KbW\Kb) 



(27) 



where we have used Eq. (14) and the result that $M = M^\dagger = M M^\dagger$.

Bob's announcement $z$ corresponds to several possible orthogonal subspaces given by



Ci(^),«i C 2 (Z),V 2 C ra (2)(2),^u,(£) 

<g)\vac)(vac\\j q = 0,1; v q > 0}, (28) 



where j = - > j w (g)}, v = {v 1} v 2 , v w ^}, v > 

means all of its element v q is larger than zero, the element 
M Jq , ^ corresponds to the measurement result that de- 

tector DET 3 c q ^ receives v q photons and \vac)(vac\ de- 
notes other detectors have not received any photon. The 
set of all operators Si ff>0 's only spans a subspace. From 
Fig. [4] we can see that one mode coming from the 
first pulse and one mode coming from the N-th pulse 
are not detected by Bob (or the measurement results 
of them are discarded by Bob). Therefore we need to 
also consider Bob's undetected subspace. We assume 
Bob's undetected subspace (or the measurement results 
of which are discarded) is spanned by the orthogonal ba- 
sis {\Ri}, \R 2 ), ...}• Then all S| ff>0 's and |i? 4 )'s make 
up a complete set of projections for Bob. An announce- 
ment z corresponds to several measurement results. Each 
result corresponds to a collapsed state of Eve. Then 
an announcement z collapses Eve's state into a mixed 
state made up by several pure state. For convenience, 

we let Ri denote the projector \Ri)(Ri\. Then Sl~ 



>o 



is orthogonal to Ri. From Eqs. ([3]) and (f25|) we know 
that for a given x, z, if j ^ If, it is always satisfied that 



(«l%>ol*k*/ 



and ISl^^fl) = 0, 



where the second equality comes from the fact that Si - >0 



is orthogonal to Ri. Then after we generalized Eq. (|27|) 
to the multi-operator and multi-measurement-result case, 
we know that if Bob's announcement is z, then Eve's con- 
ditional state becomes 



P(z\x) 



N ,x,z 

Pe 



£ 

v>0,i 



(29) 



•Proj( 



;iV.: 



;iV.: 



k 



^M^oRiKI) 



where Proj(|<I')) denotes the state |*)(*|, 



We know that $P(z, x) = P(z|x) \cdot P(x)$, $P(x|z) = P(z, x)/P(z)$ and $P(z) = \sum_x P(z, x)$, so from Eqs. ^ (30) and (31) it can be obtained that

$$P(z|x) = P(z'|x), \quad P(z, x) = P(z', x), \quad P(z) = P(z'), \quad P(x|z) = P(x|z') \qquad (32)$$

for $w(z) = w(z')$.

By combining Eqs. (24), (29), (30), (31) and (32) we obtain our final result:

Lemma 2: If there is no bit error and $w(z) = w(z')$, we always have

$$\rho_E^{N,x,z} = \rho_E^{N,x,z'}, \qquad \rho_E^{N,z} = \rho_E^{N,z'}. \qquad (33)$$



The second equation in Eq. (33) is derived from Eq. (32) and the fact that $\rho_E^{N,z} = \sum_x P(x|z)\, \rho_E^{N,x,z}$. Eq. (33) shows that Eve's conditional state is only determined by the total number of Bob's detections and is independent of the positions of the detections. This means that only the weight of $z$ matters, and we can use this instead of $z$. In the following we introduce $\rho_E^{N,x,t}$ to denote the same conditional state that Eve holds for any $z$ with weight $t$, i.e.,

$$\rho_E^{N,x,t} = \rho_E^{N,x,z}, \qquad t = w(z). \qquad (34)$$

Here $\rho_E^{N,x,t}$ can be regarded as Eve's conditional state while Bob only announces the total number of his detections.

With this new notation, we can simplify the expression 
of the mutual information discussed in the following. 



P(z\x) = ^(KM* >0 \*M) 



v>0 



(30) 



describes the conditional probability of announcement z 

for a given x, (^EB\ S £ff>o\^EB) S ives tne probability 
of the measurement result corresponding to the operator 

S/$>o ancl we nave use d the result that if j ^ If, then 



0. 



It can be seen that for the detector DET( the projector 
to the vacuum state, \vac)(vac\, can also be written as 
M/ . Then from Eqs. and (J2SJ), it can be seen that 
if w(z) = w(z'), then 



(^B:!\s l i, >0 RiKi) 



(K:t\s l ^ >0 RiK:l), 



(31) 



where we have used results that the output mode dj is 
a vacuum state and Si - >0 is orthogonal to Ri. 



B. Discussion of Eve's information 

Since Eve's state is invariant under the permutation of $z$, it is possible that Eve's information about Alice's bit string can also be bounded by a term that only depends on Bob's total detection count (the weight of $z$). In this subsection we upper bound Eve's information about Alice's bit string by a term that is only conditioned on Bob's total detection count by applying the super-subadditivity result proved in Appendix A. Then we give restrictions on Eve's information by using the fact that the maximum information Eve can get on Alice's bit string should be no larger than the Holevo quantity [45] of the states sent by Alice and the fact that the conditional mutual information should be no larger than the entropy of Alice's modulation. With these restrictions it is possible for us to give an upper bound to Eve's information about Alice's bit string.

First we define

$$F(w) := \sum_z P(z | W = w)\, S(L_z : E | Z = z), \qquad (35)$$

where we have introduced a variable $W$ that can take the value of $w(z)$ and $P(z|W = w)$ denotes the probability of $z$ when $w(z) = w$.

From Eq. (8) we know that Eve's information about Alice's bit string can be rewritten as

$$S(U_A : E | Z) = \sum_{w=1}^{N-1} P(w) F(w). \qquad (36)$$

Now we will see that $F(w)$ is no larger than a term that only depends on the total count $w$.

According to the definition of von Neumann mutual information [45], the mutual information between Alice and Eve conditioned on Bob's announcement $z$ can be given by

$$S(L_z : E | Z = z) = S(\rho_E^{N,z}) - \sum_{l_z} P(l_z | z)\, S(\rho_E^{N,l_z,z}), \qquad (37)$$

where $P(l_z|z)$ is the probability that $L_z$ takes the value of $l_z$ while $Z = z$,

$$\rho_E^{N,l_z,z} = \sum_{x \in \Gamma(l_z)} P(x | l_z, z)\, \rho_E^{N,x,z},$$

$\Gamma(l_z)$ is the collection of all $x$'s that satisfy $x_{c_i(z)} \oplus x_{c_i(z)-1} = (l_z)_i$ and $P(x|l_z, z)$ is the probability that $X$ takes the value of $x$ while $L_z = l_z$ and $Z = z$.

Also from Eq. (J22) we know that the conditional probability $P(x|z)$ is actually only conditioned on the weight of $z$, so we can introduce $P(x|w(z))$ to denote $P(x|z)$. Since $l_z$ is part of $l$ and $l$ is generated from $x$, the conditional probability $P(l_z|z)$ is also only conditioned on the weight of $z$. Therefore we can also write $P(l_z|z)$ as $P(l_z|w(z))$ and $P(x|l_z, z)$ as $P(x|l_z, w(z))$, where $P(x|l_z, z) = P(x, l_z|z)/P(l_z|z)$, and $P(l_z|w(z))$ denotes the probability that $L_z$ takes the value of $l_z$ while $W = w(z)$. Then from Lemma 2 we know that $\rho_E^{N,l_z,z}$ can be written as $\rho_E^{N,l_z,w(z)}$. Here, that the conditional probabilities, $P(l_z|w(z))$ and $P(x|l_z, w(z))$, and the conditional state $\rho_E^{N,l_z,w(z)}$ are conditioned on the weight of $z$ means that they are conditioned on Bob's announcement of the total number of his detection counts rather than the actual detection positions.

Now we can use Lemma 2 to simplify $S(L_z : E|Z=z)$ 
and thus F(w). From Lemma 2 and Eq. (34) we know 
that $\rho_E^{N,l_z,z}$ and $\rho_E^{N,z}$ in Eq. (37) can be replaced by 
$\rho_E^{N,l_z,w(z)}$ and $\rho_E^{N,w(z)}$. Then $S(L_z : E|Z=z)$ becomes 

$$S(L_z : E|Z=z) = S(\rho_E^{N,w(z)}) - \sum_{l_z} P(l_z|z)\, S(\rho_E^{N,l_z,w(z)}) = S(L_z : E|W=w(z)) \qquad (38)$$

where we have used the definition of the conditional von 
Neumann mutual information, which says 

$$S(L_z : E|W=w) = S(\rho_E^{N,w}) - \sum_{l_z} P(l_z|w)\, S(\rho_E^{N,l_z,w}) \qquad (39)$$

and the result $P(l_z|w) = P(l_z|z)$ for w = w(z). Here 
$S(L_z : E|W=w)$ is actually Eve's information about $L_z$ 
while Bob only announces the total number of his counts. 
It can be seen that Eve's information about a certain $L_z$ 
does not change if Bob publishes the detailed positions of his 
detections or only the total number of his detections. 

We know that the mutual information $S(L_z : E|W=w(z))$ 
can also be given by 

$$S(L_z : E|W=w(z)) = H(L_z|W=w(z)) - S(L_z|E,W=w(z)) \le w(z) - S(L_z|E,W=w(z)) \qquad (40)$$

where we have used the fact that $H(L_z|W=w(z)) \le w(z)$. 

Then by inserting Eqs. (|38[) and ([4T)]) to the expression 
of F(w) given by Eq. ([33)1 we can immediately get 

$$F(w) \le w - \sum_{z} P(z|W=w)\, S(L_z|E,W=w) \qquad (41)$$

where we have used the fact that $\sum_z P(z|W=w) = 1$. 

In the following it can be seen that the last term in Eq. 
(41) can be lower bounded by a term depending on Bob's 
total count, w. 

The probability P(z|W = w) for w(z) = w in Eq. (41) 
can be given by 

$$\begin{aligned} P(z|W=w) &= \frac{P(z)}{\sum_{z'|w(z')=w} P(z')} \\ &= \frac{1}{\sum_{z'|w(z')=w} 1} = \frac{1}{C_{N-1}^{w}} \end{aligned} \qquad (42)$$

where in the second line we have used Eq. (32), and 
$C_{N-1}^{w} = \sum_{z'|w(z')=w} 1$ denotes the number of permutations 
of w in N - 1. 

Since $L_z$ can be regarded as a w(z) selection from L, 
which is composed of N - 1 elements, by using the 
super-subadditivity of entropy (which is proved in Appendix 
A), we have 

$$\sum_{z|w(z)=w} S(L_z|E,W=w) \ge \frac{w\, C_{N-1}^{w}}{N-1}\, S(L|E,W=w). \qquad (43)$$

Then by combining Eqs. ([IT]). (|4*2"j) and (|35]l. we can 
obtain 

$$F(w) \le w - \frac{w}{N-1}\, S(L|E,W=w). \qquad (44)$$
Finally, from Eqs. (36) and (44) we know that Eve's 
information about Alice's bit string satisfies 

$$S(U_A : E|Z) = \sum_{w=1}^{N-1} P(w) F(w) \le \sum_{w=1}^{N-1} P(w)\, w - \frac{1}{N-1} \sum_{w=1}^{N-1} P(w)\, w\, S(L|E,W=w) \qquad (45)$$

where we sum over w in the range of 1 to N - 1, because 
the maximum value of w is N - 1 and Alice and Bob 
discard the result while there is no detection. 

Eq. (45) gives us an upper bound on Eve's information 
about Alice's state, when there is no bit error. This upper 
bound no longer depends on Bob's counting positions 
denoted by z. Now the remaining problem is to find 
some practical restrictions, so that the upper bound of 
Eve's information can be calculated. 

Since all possible values of w lie within 0 and N - 1, it can be 
seen that 

$$\sum_{w=0}^{N-1} P(w)\, S(L|E,W=w) = S(L|E,W). \qquad (46)$$

In the following we will see that if S(L|E, W) can be lower 
bounded, then $S(U_A : E|Z)$ can be upper bounded. 

According to the definition of mutual information, 
S(L|E, W) can be expressed as 

$$S(L|E,W) = H(L) - S(L : E,W) = N - 1 - S(L : E,W) \qquad (47)$$

where H(L) = N - 1, and S(L : E, W) is the mutual 
information between L and the combination of Eve and 
system W. 

Since L is generated from X and $l_i = x_{c_i} \oplus x_{c_i-1}$, given 
$X_1$ and L we can completely reconstruct x. Therefore, we 
have 

$$S(L, X_1 : E,W) = S(X : E,W). \qquad (48)$$

Because discarding a subsystem never increases the mutual 
information [45], Eq. (48) leads to 

$$S(L : E,W) \le S(X : E,W). \qquad (49)$$

The term S{X : E, W) is the mutual information be- 
tween Alice and the combination of Eve and system 
W. The system E, W can be regarded as a sys- 
tem locally generated from the original state, p®^ = 
^2^P(x)\^^}(^^\, sent out by Alice. Since local oper- 
ations cannot increase the mutual information, the max- 
imum mutual information S(X : E, W) should not be 
bigger than the maximum information one can obtain 
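from the original state $\rho_A^{\otimes N}$, which is upper bounded by 
the Holevo quantity of $\rho_A^{\otimes N}$ [45]. The Holevo quantity of 
$\rho_A^{\otimes N}$ is given by NS(A), where 

$$S(A) = h\left[\tfrac{1}{2}\left(1 - |\langle -\alpha|\alpha\rangle|\right)\right] \qquad (50)$$

is the entropy of a single state $\rho_A = \tfrac{1}{2}|-\alpha\rangle\langle-\alpha| + \tfrac{1}{2}|\alpha\rangle\langle\alpha|$ 
and $h(x) = -x\log_2 x - (1-x)\log_2(1-x)$ is the binary 
Shannon entropy function [44, 45]. Now we know that 

$$S(L : E,W) \le N S(A). \qquad (51)$$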

Then from Eqs. ijiBj). (|47]) and (|5T|). we can derive the 
final constraint on Eve's conditional entropy, which is 
given by 



$$\sum_{w=1}^{N-1} P(w)\, S(L|E,W=w) \ge (N-1)[1 - P(w=0)] - N S(A) =: K \qquad (52)$$

where we have used the fact that $S(L|E,W=0) \le S(L) = N-1$, 
and K denotes the first term in the second 
line. 

Eq. (52) gives one constraint on S(L|E, W = w). 
There is also another trivial constraint on S(L|E, W = w), 
which is 

$$S(L|E,W=w) \le S(L) = N - 1. \qquad (53)$$

Then the remaining problem is to upper bound Eve's 
information (or to lower bound the secret key rate) under 
the constraints given by Eqs. (52) and (53). 



C. Lower bound of the secret key rate 

In this part we will give the lower bound of the secret 
key rate based on the above analysis. From Eq. (7) 
it can be seen that if there is no bit error, the mutual 
information between Alice and Bob is 

$$I(U_A : U_B|Z) = \sum_{z} P(z)\left[H(L_z|Z=z) - H(L_z|Y_z,Z=z)\right] = \sum_{z} P(z)\, H(L_z|Z=z)$$

where we have used the fact that if there is no bit error 
$H(L_z|Y_z,Z=z) = 0$. After the channel estimation 
Alice and Bob can compute this mutual information. 
It can be seen that if for all z's, $L_z$ is evenly distributed, 
this mutual information becomes maximized, 
and $I(U_A : U_B|Z) = \sum_z P(z)\, w(z)$. For simplification, in 
the following we introduce a term $\Delta$ to denote the difference 
between Bob's actual information and the maximal 
information he can get in principle: 

$$\Delta = \sum_{w} P(w)\, w - I(U_A : U_B|Z). \qquad (54)$$
Then from Eqs. 0, (45) and we know that if there 
is no bit error the secret key rate per N pulses satisfies 

$$G \ge \frac{1}{N-1} \sum_{w=1}^{N-1} P(w)\, w\, S(L|E,W=w) - \Delta \qquad (55)$$

where P(w) and $\Delta$ are known after the channel estimation. 

It can be seen that under the constraints of Eqs. (52) 
and (53), the lower bound of the secret key rate given by 
Eq. (55) reaches its minimum when S(L|E, W = w) = 0 
for large values of w and S(L|E, W = w) = N - 1 for 
small values of w while satisfying Eq. (52) at the same 
time. Then the final lower bound on the secret key rate 
per N pulses is given by 



-A 



(56) 



where $w_0$ is the solution to the equations 

$$\sum_{w=1}^{w_0} P(w)(N-1) < K$$
$$\sum_{w=1}^{w_0+1} P(w)(N-1) > K \qquad (57)$$

where K is defined in Eq. (52). This formula for 
the key generation rate in Eq. (56) is applicable to any 
N and any distribution in Bob's detection statistics. In the 
next section, we will consider a particular distribution as 
an example. 



V. SECRET KEY RATE UNDER THE 
BINOMIAL DISTRIBUTION CASE 

We illustrate how to compute the key generation rate 
in Eq. (56) derived in the previous section for a channel 
that produces a binomial distribution in Bob's detection 
statistics. We show that in this case the secret key generation 
rate per pulse is linearly proportional to the channel 
transmission probability (see Eq. (65)). 

Consider the specific case where Bob's total count 
obeys the binomial distribution, $\Delta = 0$ and $N \to \infty$. 
Under this case 



N- 



(58) 



where r denotes the detection rate per pulse. 

For the $N \to \infty$ case, the binomial distribution tends 
to the Gaussian distribution with the same mean and 
variance as P(w). For convenience of discussion of the 
$N \to \infty$ case, here we introduce $\lambda$ to denote the ratio of w 
over N - 1: 

$$\lambda = \frac{w}{N-1}.$$

Under the case that $N \to \infty$, $\lambda$ can be regarded as a 
real number. Then instead of dealing with the Gaussian 
approximation of P(w) we can deal with an approximation 
for $P(\lambda)$, which denotes the distribution of $\lambda$. The 
Gaussian approximation of $P(\lambda)$ can be directly given by 

$$P(\lambda) = \frac{N-1}{\sqrt{2\pi(N-1)r(1-r)}} \exp\left[-\frac{(N-1)(r-\lambda)^2}{2r(1-r)}\right] \qquad (59)$$

which has the same mean and variance as $P(\lambda)$. 

The lower bound of the secret key rate given by Eq. 
(56) can be approximated by 

$$G \ge (N-1) \int_{0}^{\lambda_0} d\lambda\, P(\lambda)\, \lambda \qquad (60)$$

where $\lambda_0 = w_0/(N-1)$, which can be given by the 
solution to the equation 

$$\int_{0}^{\lambda_0} d\lambda\, P(\lambda) = \frac{K}{N-1}. \qquad (61)$$

Here Eq. (61) is obtained by putting $\lambda$ into Eq. (57). 

It can be seen that when $N \to \infty$, we have P(w = 0) = 0 
and $\frac{N}{N-1} = 1$. Then Eq. (61) becomes 

$$\int_{0}^{\lambda_0} d\lambda\, P(\lambda) = 1 - S(A). \qquad (62)$$

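To find a solution to Eqs. (60) and (62), we introduce 
another function $F(\lambda)$: 

$$F(\lambda) = \begin{cases} P(\lambda), & \text{while } \lambda < \lambda_0 \\ 0, & \text{while } \lambda > \lambda_0 \end{cases} \qquad (63)$$

Then it can be seen that when $N \to \infty$, 

$$\int_{-\infty}^{\infty} d\lambda\, F(\lambda) = 1 - S(A)$$
$$F(\lambda) = 0 \text{ for } \lambda \ne r$$

where the expression in the second line can be seen from 
the fact that $\lim_{N\to\infty} \frac{N-1}{\sqrt{2\pi(N-1)r(1-r)}} \exp\left[-\frac{(N-1)(r-\lambda)^2}{2r(1-r)}\right] = 0$ for 
$\lambda \ne r$. 

We see that $F(\lambda)$ is actually a delta function satisfying 
$F(\lambda) = [1 - S(A)]\,\delta(\lambda - r)$. From Eqs. flUD) and lp)) . 
we can finally get the secret key rate for the binomial 
distribution and $N \to \infty$ case. It is given by 

$$G \ge (N-1) \int d\lambda\, F(\lambda)\, \lambda = (N-1)\, r\, [1 - S(A)]. \qquad (64)$$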

When given that the amplitude of the coherent state is 
$\alpha$ and the total transmission probability is $\eta$, then the 
secret key rate per pulse can be given by 

$$g \ge \eta|\alpha|^2 \left\{1 - h\left[\tfrac{1}{2}\left(1 - e^{-4|\alpha|^2}\right)\right]\right\} \qquad (65)$$

where we have used Eq. (50), the result that $|\langle -\alpha|\alpha\rangle| = e^{-4|\alpha|^2}$, 
and the factor N - 1 is canceled since this is a key 
rate per pulse. From this result it can be seen that the 
lower bound of the secret key rate per pulse is linearly 
proportional to the channel transmission probability. It 
can be calculated that when $\alpha = 0.338$, the right part in 
Eq. (65) is maximized and is given by $0.0357\eta$. Note 
that our result is consistent with the upper bounds on the 
key rate given in Refs. [10, From Ref. [11], one can 
easily find that the key generation rate per transmitted 
pulse of BB84 in the noiseless case scales at a higher 
rate than that of DPSQKD. However, the overall secret 
key generation rate is also determined by the modulation 
rate, and we remark that it is possible that DPSQKD can 
outperform BB84 in the modulation rate, since DPSQKD 
only requires one binary phase modulation at Alice's side, 
while BB84 requires a quaternary modulator at Alice's 
side and a binary or quaternary modulator at Bob's side 
[HI (the binary modulation is easier to realize than the 
quaternary one). 
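The figures quoted for Eq. (65) can be checked numerically. The Python below is an added example, not code from the paper: it evaluates Eq. (65), searches for the optimal amplitude, and evaluates a finite-N version of the bound using K from Eq. (52) and the cut-off $w_0$ from Eq. (57). The binomial P(w) over N - 1 slots with r = η|α|², Δ = 0, and the use of Σ_{w ≤ w_0} w P(w)/(N - 1) as the per-pulse bound are assumptions of this example.

```python
import math

def h2(p):
    """Binary Shannon entropy h(x) in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)

def s_a(alpha):
    """S(A) as it enters Eq. (65): h[(1 - e^{-4|alpha|^2}) / 2]."""
    return h2(0.5 * (1.0 - math.exp(-4.0 * alpha ** 2)))

def asymptotic_rate(alpha, eta):
    """Right-hand side of Eq. (65): key rate per pulse for N -> infinity."""
    return eta * alpha ** 2 * (1.0 - s_a(alpha))

def best_alpha(lo=0.05, hi=1.0, tol=1e-7):
    """Golden-section search for the amplitude maximising Eq. (65)."""
    g = (math.sqrt(5.0) - 1.0) / 2.0
    while hi - lo > tol:
        c, d = hi - g * (hi - lo), lo + g * (hi - lo)
        if asymptotic_rate(c, 1.0) > asymptotic_rate(d, 1.0):
            hi = d          # maximum lies in [lo, d]
        else:
            lo = c          # maximum lies in [c, hi]
    return (lo + hi) / 2.0

def finite_rate(n_pulses, alpha, eta):
    """Finite-N bound per pulse (assumed: binomial counts, Delta = 0)."""
    n = n_pulses - 1                      # N - 1 detection slots
    r = eta * alpha ** 2                  # detection rate per pulse (assumed)
    log_r, log_q = math.log(r), math.log1p(-r)

    def pmf(w):                           # binomial P(w), computed in logs
        return math.exp(math.lgamma(n + 1) - math.lgamma(w + 1)
                        - math.lgamma(n - w + 1) + w * log_r + (n - w) * log_q)

    k = n * (1.0 - pmf(0)) - n_pulses * s_a(alpha)   # K of Eq. (52)
    budget, key_bits = k / n, 0.0
    for w in range(1, n + 1):             # Eq. (57): small w first, up to w_0
        p = pmf(w)
        if p > budget:                    # adding this w would push the sum past K
            break
        budget -= p
        key_bits += w * p                 # Eve's entropy is N - 1 on these w
    return key_bits / n

if __name__ == "__main__":
    a = best_alpha()
    print(f"optimal alpha = {a:.3f}, rate/eta = {asymptotic_rate(a, 1.0):.4f}")
    for n_pulses in (11, 2001, 200001):
        print(n_pulses, finite_rate(n_pulses, 0.338, 0.1))
```

For short blocks K is negative, so constraint (52) is vacuous and the bound is zero; the finite-N value approaches Eq. (65) from below as N grows.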



VI. CONCLUSION 

We prove the security for DPSQKD with a weak- 
coherent light source against collective attacks in the 
noiseless case. The only assumptions we employ are that 
quantum theory is true, the device is trusted and 
the key size is infinite. The key point that guarantees 
this scheme to be secure is that Eve's state is indepen- 
dent of the positions of Bob's detections, so that after the 
post-selection, in which Alice and Bob discard the data 
that Bob did not receive a signal for, Bob knows Alice's 
sifted data better than Eve does. In addition, we consider 
a specific case where the total number of Bob's count 
obeys the binomial distribution. In this case, we derive 
the lower bound of the secret key rate per pulse and it is 
linearly proportional to the channel transmission proba- 
bility. This result definitely suggests that DPSQKD has 
a high potential for high speed communication, since it is 
easy to engineer DPSQKD to operate at a high modula- 
tion rate. Although we have only proved the security of 
DPSQKD for the noiseless case, we hope that our work 
can offer some insights into the security of DPSQKD and 
may serve as a stepping stone for proving the security for 
the noisy case. 

Acknowledge: Special thanks are given to Norbert 
Lütkenhaus and Matthias Heid for their innumerable 
discussions on security proof. Thanks are also given 
to H.-K. Lo for fruitful discussions. This work is sup- 
ported in part by the National Fundamental Research 
Program of China under Grant No 2006CB921900, Na- 
tional Natural Science Foundation of China under Grants 
No. 60537020 and 60621064, Innovation Fund of the Uni- 
versity of Science and Technology of China under Grant 
No. KD2006005, the Knowledge Innovation Project of 
the Chinese Academy of Sciences (CAS), the Research 
Grants Council of Hong Kong under Grant No. HKU 



701007P, and the Natural Sciences and Engineering Re- 
search Council of Canada. 



APPENDIX A: SUPER SUBADDITIVITY FOR 
THE MULTI-SYSTEM CASE 

Theorem 1. Suppose $\Theta_n = \{A_1, \ldots, A_n\}$ is a collection 
of n systems and is a collection of all possible m selections 
from n cases. Then it is always true for arbitrary 
n and m < n that 

$$\sum_{i} S(A_{i_1}, A_{i_2}, \ldots, A_{i_m}|E) \ge \frac{m\, C_n^m}{n}\, S(A_1, A_2, \ldots, A_n|E) \qquad (A1)$$

where $i = (i_1, i_2, \ldots, i_m)$, E is another system, and 
$C_n^m = \frac{n!}{m!(n-m)!}$. 

This theorem is a generalization of the following lemma 
for subadditivity of von Neumann entropy (see, e.g., 
H). 

Lemma 1. For three quantum systems $A_1$, $A_2$, and E, 
$S(A_1|E) + S(A_2|E) \ge S(A_1, A_2|E)$. 

Proof of Theorem 1. We will use induction to prove the 
theorem. First, notice that for m = n, this theorem is 
always true. In the following we will prove that for n and 
m = 1 this theorem holds, which will be called first proof 
(FP) in the following. 

Then we prove that if for n and m and m - 1 (m > 1) the 
above theorem is correct, then for n + 1 and m it is also 
correct, which will be called second proof (SP). 

Thirdly, we will prove that if for n - 1 and m = n - 2 
(n > 2) the above theorem is true then for n and m + 1 
it is also valid, which will be called third proof (TP). 

Since for n = 2 and m = 1, the above theorem is true, 
then it is also true for n = 3 and m = 2 by applying the 
TP. 

This theorem is true for n = 3 and m = 2 and n = 3 
and m = 1. Then by applying the SP, we know that it is 
also valid for n = 4 and m = 2 and consequently for all 
of n and m = 2. 

After we continuously do such induction we can see 
that if FP, SP and TP are correct then for all n > m the 
above theorem holds. 

Now we prove the FP first. Observe that for arbitrary 
n and m = 1, Eq. (A1) holds by repeated applications of 
Lemma 1, i.e. 

$$\sum_{i=1}^{n} S(A_i|E) \ge S(A_1, A_2, \ldots, A_n|E) \qquad (A2)$$

holds. 

Now we will prove the SP, which claims that if for 
n and m and m - 1 the above theorem holds, then for 
n + 1 and m it also holds. 

We assume that $\Theta_{n+1} = \{A_1, \ldots, A_n, A_{n+1}\} = 
\{A_1, \ldots, A_n, B\}$. Here we use B to denote $A_{n+1}$. 
In the following we use to denote the collection of 
all possible m selections in n samples. 
First we have 



T = SiAi^A^.^AijE) 
= ]T S(A ll ,A l21 ... 1 A lm \E) 



+ Y, S(A ll ,A l21 ... 1 A lm _ 1 ,B\E) 

= C + D (A3) 

where $i = (i_1, i_2, \ldots, i_m)$ denotes a possible m selection 
in n cases and we introduced T, C and D to denote the 
terms given in the first, second and third line respectively. 
If the theorem is valid for n and m, then we have 

$$C \ge \frac{m\, C_n^m}{n}\, S(A_1, A_2, \ldots, A_n|E). \qquad (A4)$$

Now, D can also be given by 

$$D = \sum_{i} S(A_{i_1}, A_{i_2}, \ldots, A_{i_{m-1}}|BE) + C_n^{m-1} S(B|E) = D_1 + C_n^{m-1} S(B|E) \qquad (A5)$$

where we have applied the fact that S(A|EB) + S(B|E) = 
S(AB|E) and $\sum_i 1 = C_n^{m-1}$. Also, if the above theorem 
is correct for n and m - 1, we have 

$$D_1 \ge \frac{(m-1)\, C_n^{m-1}}{n}\, S(A_1, A_2, \ldots, A_n|BE). \qquad (A6)$$

Here. 



m\(n — m)\ 



(A7) 



Then if we put Eqs. ([A"4]) . |A3|) . (|A"6]l and |A7} into Eq. 
13[) we can immediately get 



n\(n — m + l)m .„, , , „ ,„,„,,,., 



nm\(n — m +1)! 
nlm(m — 1) 
nm\(n — m + 1)! 



[S(A 1 ,A 2 ,..,A„|B£) + S(B|£)]. 



Since the above theorem is correct for n = 2 and m = 
1, we have 

$$S(A_1, A_2, \ldots, A_n|E) + S(B|E) \ge S(A_1, A_2, \ldots, A_n, B|E). \qquad (A9)$$

Then if we put Eq. (A9) into Eq. (A8) and apply the 
results that S(A|EB) + S(B|E) = S(AB|E) and 

n\m(m - 1) _ mC™ +1 



we can obtain 

$$T \ge \frac{m\, C_{n+1}^{m}}{n+1}\, S(A_1, A_2, \ldots, A_n, B|E)$$

which says that if for n and m and m - 1, the above 
theorem is correct then for n + 1 and m it is also correct. 
Now the SP is proved. 

Now, we will prove the TP, that is if for n - 1 and 
m = n - 2 (n > 2) the above theorem is true then for n 
and m + 1 it is also true. 

We assume that $\Theta_n = \{A_1, \ldots, A_{n-1}, B\}$. Here we use 
B to denote $A_n$. Then we have that 



^(A^A^..., Aj m , .Aj m+1 l-E 1 ) 



+ ]T S(A n ,A l2 ,...,A Jm ,5|£) 



Dl + S*2 



(A10) 



where S, $S_1$ and $S_2$ are introduced to denote the 
expressions in the first, second and third line respectively, 
and in the second line we have used the requirement that 
m = n - 2. 

Since S(A\EB) + S(B\E) = S(AB\E), and £ = 

rim 
u n-li 

5 2 = X] Si^u^r-.^JBE) + C'^SiBlE) 



> 



ra-1 



fS(A 1 A h ... 1 A n „ 1 \BE) + C™_ 1 S(B\E) 

= m[S(Ai A v .., A n _ x \BE) + S(B\E)} + S{B\E) 
= mS(A 1 A h ...,A n -- L ,B\E) + S(B\E) (All) 

where we have applied the assumption that for n - 1 
and m the above theorem is correct and the fact that 
$C_{n-1}^{m} = n - 1$ for m = n - 2. 

Now if we put Eq. (A11) into Eq. (A10) we can obtain 
that 

+S(A 1 A 2 ,...,A n ^\E) + S(B\E) 
> (m + l)S(A l ,A li ...,A n - 1 ,B\E) 

= (m + 1)C " + S(A u A 2l ...,A n . u A n \E) 
n 

where in the third line we have used the subadditivity for 
n = 2 and m = 1 case. Now the TP is proved. 

Since the assumptions FP, SP and TP hold and the 
initial conditions are satisfied, it is proved that for all 
n > m the above theorem holds. □ 
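Theorem 1 can be sanity-checked numerically in the classical special case, where every system is a classical bit and the von Neumann entropies reduce to Shannon entropies. The Python below is an added example, not part of the paper; the function names and the random test distributions are constructed here.

```python
import itertools
import math
import random

def entropy(dist):
    """Shannon entropy in bits of a dict {outcome: probability}."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0.0)

def marginal(joint, keep):
    """Marginal distribution over the coordinates listed in `keep`."""
    out = {}
    for outcome, p in joint.items():
        key = tuple(outcome[i] for i in keep)
        out[key] = out.get(key, 0.0) + p
    return out

def cond_entropy(joint, subset, e_index):
    """H(A_subset | E) = H(A_subset, E) - H(E)."""
    with_e = marginal(joint, list(subset) + [e_index])
    return entropy(with_e) - entropy(marginal(joint, [e_index]))

def theorem_gap(joint, n, m):
    """Left side minus right side of (A1); non-negative if (A1) holds.

    Coordinates 0..n-1 are A_1..A_n and coordinate n is E.
    """
    lhs = sum(cond_entropy(joint, s, n)
              for s in itertools.combinations(range(n), m))
    rhs = m * math.comb(n, m) / n * cond_entropy(joint, range(n), n)
    return lhs - rhs

def random_joint(n, rng):
    """Constructed random joint distribution of n bits plus one bit for E."""
    outcomes = list(itertools.product((0, 1), repeat=n + 1))
    weights = [rng.random() ** 3 for _ in outcomes]   # skewed, so far from uniform
    total = sum(weights)
    return {o: w / total for o, w in zip(outcomes, weights)}

def min_gap(n=4, trials=50, seed=1):
    """Smallest gap seen over random distributions and every 1 <= m <= n."""
    rng = random.Random(seed)
    return min(theorem_gap(random_joint(n, rng), n, m)
               for _ in range(trials) for m in range(1, n + 1))

if __name__ == "__main__":
    print("smallest gap over random trials:", min_gap())
```

The gap is zero for m = n and positive otherwise; a correlated example such as $A_3 = A_1 \oplus A_2$ with uniform $A_1$, $A_2$ gives a gap of 2 bits at n = 3, m = 2.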



nm\(n — m+1)! 71 + 1 